Unsure of next steps to implement Password Policy Overlay with OpenLDAP on Ubuntu 10.


I am testing OpenLDAP version 2.4.21 on Ubuntu 10.04. I have successfully installed it following guides here and here. I can authenticate users on a client server I set up for testing.

My next step is to turn on a password policy. This is where things have gotten a bit hazy for me and I'm hoping someone can help suss things out. I followed the steps for converting ppolicy schema to an ldif file and then adding it to the cn=config directory and verified that it shows up there:

So this policy is supposed to implement some basic password policy (expires every 90 days, can't use the last 3 passwords, you get a 7-day warning that your password is about to expire), but I can't figure out how to link this policy with...whatever it's supposed to link with. As per http://www.openldap.org/doc/admin24/overlays.html I'm supposed to

Quote:

Instantiate the module in the database where it will be used, after adding the new ppolicy schema and loading the ppolicy module.

I think I've already added the schema, but I can't find anything that clearly details how to accomplish the other two steps. The Zytrax site does say

Quote:

The ppolicy overlay is invoked for the DIT by the following additions to the configuration file (or using the equivalent olc values if cn=config is active)

but I'm not actually getting what that means. Can anyone shed some light on this in plain, layman's terms?

To be more explicit, I guess the examples from the web tutorials show how to do this using the standard slapd.conf configuration, but my setup is using cn=config database for configuring slapd. This is how it installed from the Ubuntu repository (not that I knew there was a difference when I installed it). So, I'm not sure how to edit slapd using cn=config to load the ppolicy module and instantiate it in the database.

So, I figured I waited long enough for an answer to this and got nothing. No one helped on the IRC channels either. I'm disappointed in the lack of response but I've come to a workaround. Since I'm only using this for a very small deployment, I went ahead and used the shadowAccount objectClass and defined the attributes for each user individually. It baffles me that all of the documentation I found deals with editing slapd.conf when my understanding is that that's "old school" and the dynamic backend method is the way to go. In fact, I read that future versions of OpenLDAP would not be using slapd.conf at all.

Did the same steps you described with similar results (nothing). Did you get any other feedback? Also was not totally clear on the steps you did in your workaround as I could try that for now. Any help would be greatly appreciated....Thank you for any help you can provide. Been hitting against a brick wall....

I tried to put this project as far out of my mind as possible, since the amount of time I spent on it was ultimately more than it was worth for the end result, but let me see if I remember the workaround. There's a shadowAccount class that has attributes that can be used to set password expiration, minimum and maximum lengths, stuff like that, and I'm pretty sure it's there by default (i.e. no need to add in another schema or anything). So essentially what I did was to edit these values for each individual user. Since I was only doing this to authenticate admins who were logging in to the servers (and not trying to control a bunch of users' access to some sort of file sharing or anything like that) it turned out to be easier and quicker for me to just do this manually.

shadowMax is the one that tells you how long a password will be valid for. shadowWarning is how many days out users will get a warning that their password is due to expire. There are others, though not well-documented in OpenLDAP's documentation. I actually found a good guide to the attributes here: http://docs.redhat.com/docs/en-US/Re..._Reference.htm.

For what it's worth I downloaded and installed Apache Directory Studio and after getting it connected found it to be a very quick and easy way to both query and update the database. While I like knowing in theory how to do these things via the shell, the syntax and everything is just so damn confusing that this was really welcome.
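The per-user shadowAccount workaround described above as an ldapmodify change, added here as an example rather than the poster's own commands. It assumes a sample user at uid=alice,ou=people,dc=example,dc=com that does not yet carry shadowAccount, and the nis schema that defines shadowAccount (loaded by default on Ubuntu's slapd).

```shell
# Added example: the shadowAccount workaround as an LDIF change. Assumed:
# suffix and user DN below, nis schema loaded, shadowAccount not yet present
# on the entry (otherwise the objectClass add is rejected and nothing changes).
set -eu
SUFFIX="${SUFFIX:-dc=example,dc=com}"
USER_DN="${USER_DN:-uid=alice,ou=people,$SUFFIX}"   # constructed sample user

# shadow* values are day counts since 1970-01-01, unlike ppolicy's seconds.
days_since_epoch() { echo $(( $(date +%s) / 86400 )); }

# One user's change set: $1 user DN, $2 shadowMax (days a password stays
# valid), $3 shadowWarning (days of notice), $4 shadowLastChange (day number
# the password was last set; the expiry clock counts from there).
shadow_ldif() {
  cat <<EOF
dn: $1
changetype: modify
add: objectClass
objectClass: shadowAccount
-
replace: shadowMax
shadowMax: $2
-
replace: shadowWarning
shadowWarning: $3
-
replace: shadowLastChange
shadowLastChange: $4
EOF
}

# Apply the thread's 90-day / 7-day settings to USER_DN, starting the clock today.
apply() {
  shadow_ldif "$USER_DN" 90 7 "$(days_since_epoch)" |
    ldapmodify -x -D "cn=admin,$SUFFIX" -W
}
if [ "${1:-}" = apply ]; then apply; fi
```

Note that slapd itself does not act on shadow* attributes: the expiry is enforced by the login host's PAM stack (pam_unix reading the shadow map through nss-ldap), so a plain LDAP bind with an "expired" password still succeeds, which is the gap the ppolicy overlay closes.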

Hello. Thank you so very much. Really appreciate your help on this. Wishing you a terrific night...

Quote:

Originally Posted by transient

Hi scman64. Sorry to hear you're having the same issues.